IIS 6.0 Win2003 Server asp login & security

I'm looking for a full working example, or even a purchased product, that will -

Have a login.asp page containing 2 text boxes (username & password). User submits page to authenticatepage.asp, where a database is searched to determine if it is a valid username & pwd. Depending on the username, a specific asp page will be opened. I need to use session objects (I think) since I cannot have the user bookmark the page and return to it without going through the logIn page.

Some of the pages for the user are asp and others are html.

Thanks

Malek103197Asked:
 
Coolhand2120 Commented:
Wow... well I can tell you that this is an odd script.  HTTP_REFERER is very very unreliable, 50% of the time it doesn't work.  It's supposed to return the URL of the page that sent the user to the current page.  If you want to put the user back to the page they just came from I'd use client side javascript location.history.  But I don't think you're interested in this.

THIS:

<%
Dim HTTP_REFERRER
Response.ExpiresAbsolute = Now() - 1
Response.AddHeader "Cache-Control", "no-cache"
If Not(IsObject(Session("UID"))) Then
  If Session("UID") = "" Then
    HTTP_REFERRER = Request.ServerVariables("URL")
    If Request.QueryString <> "" Then HTTP_REFERRER = HTTP_REFERRER & "?" & Request.QueryString
    Response.Redirect "login.asp?HTTP_REFERRER=" & Server.URLEncode(HTTP_REFERRER)
  End If
End If
%>


would be easier if it said:

<%

if request.cookies("userID") <> "" then
  userID = request.cookies("userID")
else
  response.redirect "logon.asp"
end if

%>



This:

<%
Response.ExpiresAbsolute = Now() - 1
Response.AddHeader "Cache-Control", "no-cache"
Dim HTTP_REFERRER, UserObject
Status = "Please log in."
HTTP_REFERRER = Request("HTTP_REFERRER")
If Request.Form("username") <> "" Then
  If Login Then
    Session("UID") = UserObject.Item("username")
    'Set Session("UID") = UserObject
    If HTTP_REFERRER = "" Then
      Response.Redirect "default.htm"
    Else
      Response.Redirect HTTP_REFERRER
    End If
  Else
    Status = "Invalid Login... Please Try Again."
  End If
End If

Function Login
  Dim conn, rs, sql, dbFile
  dbFile = "login.mdb"
  Set conn = Server.CreateObject("ADODB.Connection")
  conn.open "driver={Microsoft Access Driver (*.mdb)};dbq=" & Server.MapPath(dbFile) & ";"
  Set rs = Server.CreateObject("ADODB.Recordset")
  sql = "SELECT * FROM users WHERE username = '" & _
    Request.Form("Username") & "' AND password = '" & Request.Form("Password") & "'"
  rs.Open sql, conn, 3, 3
  If Not rs.EOF Then
    Set UserObject = CreateObject("Scripting.Dictionary")
    For each field in rs.Fields
      UserObject.Add field.name, field.value
    Next
    Login = True
  Else
    Login = False
  End If
  rs.Close
  set rs = nothing
  conn.Close
  set conn = nothing
End Function
%>


Would be easier if it said:
Your logon.asp page should have this script at the top

<%
if request.form("Username") <> "" then

'This block below will connect to your database to look up stuff
 Set rs = Server.CreateObject("ADODB.Recordset")
 rs.ActiveConnection = "driver={Microsoft Access Driver (*.mdb)};dbq=" & Server.MapPath("login.mdb") & ";"
 rs.Source = "Select * from users where username = '" & request.form("username") & "' and password = '" & request.form("password") & "'"
 rs.CursorType = 0
 rs.CursorLocation = 2
 rs.LockType = 1
 rs.Open()

  'If the recordset was empty (no matching username / password)
 if rs.eof or rs.bof then
   response.redirect "logon.asp?badpassword=1"    'This is where it would send users that type bad u/p
 else
   response.cookies("userID") = request.form("username")   'this sets the username into a cookie called "userID" which you can check later and see if its empty or not
   response.redirect "default.asp"  'Redirect to wherever you want to put the user after they logon correctly
 end if

'Clean up DB connection objects

  rs.close
  set rs = nothing

end if
%>

logon.asp should have this after the asp part:

<form method="post" action="logon.asp">

<input name="username" type="text">
<input name="password" type="password">
<input type="submit">

</form>

Sorry I pretty much rewrote your script there, if you still have problems just post again!

-Coolhand2120
0
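
A hardened variant of the logon script above, as an added example that is not part of the original thread: it binds the form values as ADO parameters instead of concatenating them into the SQL string, keeps the login state in `Session("UID")` rather than in a `userID` cookie whose value the browser supplies, and only redirects to same-site paths. `CheckLogin` and `SafeLocalUrl` are hypothetical helper names; the `users` table, `login.mdb` and the plaintext password column are taken from the thread as-is.

```asp
<%
' Added example, not from the thread. CheckLogin and SafeLocalUrl are
' hypothetical helper names; the table and file names are the thread's.
Const adVarWChar = 202, adParamInput = 1, adCmdText = 1   ' ADO constants

Function CheckLogin(ByVal userName, ByVal pwd)
  Dim conn, cmd, rs
  CheckLogin = False
  ' Refuse values that would not fit the declared parameter size
  If Len(userName) = 0 Or Len(userName) > 255 Or Len(pwd) > 255 Then Exit Function
  Set conn = Server.CreateObject("ADODB.Connection")
  conn.Open "driver={Microsoft Access Driver (*.mdb)};dbq=" & Server.MapPath("login.mdb") & ";"
  Set cmd = Server.CreateObject("ADODB.Command")
  Set cmd.ActiveConnection = conn
  cmd.CommandType = adCmdText
  ' ? placeholders: the form values are bound as data, never spliced into the SQL text
  cmd.CommandText = "SELECT username FROM users WHERE username = ? AND [password] = ?"
  cmd.Parameters.Append cmd.CreateParameter("u", adVarWChar, adParamInput, 255, userName)
  cmd.Parameters.Append cmd.CreateParameter("p", adVarWChar, adParamInput, 255, pwd)
  Set rs = cmd.Execute
  If Not rs.EOF Then CheckLogin = True
  rs.Close : conn.Close
  Set rs = Nothing : Set cmd = Nothing : Set conn = Nothing
End Function

' Only same-site absolute paths are accepted as a post-login target
Function SafeLocalUrl(ByVal target)
  SafeLocalUrl = "default.asp"
  If Left(target, 1) <> "/" Or Left(target, 2) = "//" Then Exit Function
  If InStr(target, "\") > 0 Or InStr(target, vbCr) > 0 Or InStr(target, vbLf) > 0 Then Exit Function
  SafeLocalUrl = target
End Function

Dim user
user = CStr(Request.Form("username"))
If user <> "" Then
  If CheckLogin(user, CStr(Request.Form("password"))) Then
    Session("UID") = user   ' kept server-side; the browser holds only the session ID cookie
    Response.Redirect SafeLocalUrl(CStr(Request("HTTP_REFERRER")))
  Else
    Response.Redirect "logon.asp?badpassword=1"
  End If
End If
%>

<%
' Guard for the top of every protected .asp page (separate file)
If Session("UID") = "" Then Response.Redirect "logon.asp"
%>
```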
 
alorentz Commented:
What do you want?  This site is to help with problems....not write code for you.
0
 
Coolhand2120 Commented:
Make an HTML page with the two text inputs (username & password) and a submit button.  Then in the form tag in the action property (<form action="****" where *** is your submit page).  This will send the user to this page when they click submit.  You'll need to connect to a database and because you don't specify what kind of database you wish to use, even if EE did write code for you....  Then you can use response.redirect to point the user to the 'logged on' page or the 'not logged on' page.

ANYHOW if you do know what your database is post it and I'll help with HOW to do it.  I'm totally willing to spend an absurd amount of time teaching you how to create this.

I'd suggest using cookies, session objects are slow and unwieldy.
Don't forget!  You're in the ASP section of EE so we are assuming you're using ASP and a server that can use ASP.
If you have no clue what I'm talking about, hire someone that does, you shouldn't be doing this.
Even if you purchase a program you'll still need to purchase a database (SQL, Access etc.).

-Coolhand2120
0
 
Malek103197 Author Commented:
Ok, I'm trying to make sense of this script...

The way I interpret it is that when a page is opened and there is not a session UID, the user will be directed to the logIn page, but I'm not clear on what the author is referring to with HTTP_REFERRER.
Need a bit of help understanding this script.

Thanks

Every Page
The script is implemented by including the following code above the <html> tag of every page;

<%
Dim HTTP_REFERRER
Response.ExpiresAbsolute = Now() - 1
Response.AddHeader "Cache-Control", "no-cache"
If Not(IsObject(Session("UID"))) Then
  If Session("UID") = "" Then
    HTTP_REFERRER = Request.ServerVariables("URL")
    If Request.QueryString <> "" Then HTTP_REFERRER = HTTP_REFERRER & "?" & Request.QueryString
    Response.Redirect "login.asp?HTTP_REFERRER=" & Server.URLEncode(HTTP_REFERRER)
  End If
End If
%>



Login.asp -
Script
If the script on the requested page determines that the UID session variable has not been set, the user is redirected to the login page. The login page contains the following code above the <html> tag;

<%
Response.ExpiresAbsolute = Now() - 1
Response.AddHeader "Cache-Control", "no-cache"
Dim HTTP_REFERRER, UserObject
Status = "Please log in."
HTTP_REFERRER = Request("HTTP_REFERRER")
If Request.Form("username") <> "" Then
  If Login Then
    Session("UID") = UserObject.Item("username")
    'Set Session("UID") = UserObject
    If HTTP_REFERRER = "" Then
      Response.Redirect "default.htm"
    Else
      Response.Redirect HTTP_REFERRER
    End If
  Else
    Status = "Invalid Login... Please Try Again."
  End If
End If

Function Login
  Dim conn, rs, sql, dbFile
  dbFile = "login.mdb"
  Set conn = Server.CreateObject("ADODB.Connection")
  conn.open "driver={Microsoft Access Driver (*.mdb)};dbq=" & Server.MapPath(dbFile) & ";"
  Set rs = Server.CreateObject("ADODB.Recordset")
  sql = "SELECT * FROM users WHERE username = '" & _
    Request.Form("Username") & "' AND password = '" & Request.Form("Password") & "'"
  rs.Open sql, conn, 3, 3
  If Not rs.EOF Then
    Set UserObject = CreateObject("Scripting.Dictionary")
    For each field in rs.Fields
      UserObject.Add field.name, field.value
    Next
    Login = True
  Else
    Login = False
  End If
  rs.Close
  set rs = nothing
  conn.Close
  set conn = nothing
End Function
%>
<html>
0
 
Malek103197 Author Commented:
Thanks Coolhand2120, that is a lot simpler and very understandable.
0
 
Coolhand2120 Commented:
NP.  Let me know if it works out for you.

-Coolhand2120
0
Question has a verified solution.
